Re: How secure is Preupgrade? Answer: Not.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Björn Persson wrote, On 05/21/2008 08:54 PM:

Beartooth Sciurivore wrote:

	Dumb question, probably : if you install and run preupgrade
according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
after downloading boot images, is there some user-friendly thing you can
do then to make it secure? Something on the order of getting into a
directory and commanding, in effect, "check all signatures"?
No. You can check the RPM packages in /var/cache/yum/anaconda-upgrade/packages with rpm --checksig (assuming you have known good public keys in the RPM database, but that's required for Yum too). The big problem is that you can't check the boot images in /boot/upgrade, because nobody has made signatures for them. Making signatures is easy, but only the owners of the Fedora project's private key can do it. 


	Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?


Don't hold your breath. Checking the packages is scheduled for 1.1:

https://fedorahosted.org/preupgrade/ticket/7
Checking the boot images is scheduled for 1.2, but that ticket talks about checksums, not signatures, so I think it's only intended to protect against accidental corruption, not malicious tampering: 

https://fedorahosted.org/preupgrade/ticket/8
I was going to suggest checking against the md5/sha1 sums in the jigdo's until I checked and noted that the jigdo's[1] are not signed (not even with a detached sig). Though at least for me the resulting iso's (from the jigdo's I used) passed the sha1sums that were signed by RH[2] (using an RH/fedora public key I have had for a few years). So we are still looking at a second|third hand (sig on an sha1, of 3 of the isos[3], that contained the boot images) confirmation, but the ones I got at least have a _chance_ of being the right ones.
Note, I am not suggesting that there should not be sigs done on the install media, I was just seeing how close we could get with today's available meta data. And I am not as comfortable as I was 5 minutes ago. :|
[1] http://download.fedora.redhat.com/pub/fedora/linux/releases/9/Fedora/i386/jigdo/ 
[2] http://fedoraproject.org/en/verify
[3] Fedora-9-i386-DVD, Fedora-9-i386-disc1, Fedora-9-i386-netinst
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux